[ale] Using SSHFP resource records

Stephen Cristol stephen at bee.net
Tue Sep 23 00:24:35 EDT 2008


I solved the problem I was having with SSHFP. It is now (and
presumably was) working.

Where I was getting into trouble was that I was trying to connect to
"server". Once I tried connecting to "server.home.lan" (the FQDN on
my home network), it worked.

Now, if only DNS were secure....

S


On Sep 14, 2008, at 1:17 PM, Stephen Cristol wrote:
> Can anyone provide guidance in setting up SSHFP resource records?
> This seemed like a simple thing to do, but I can't get it to work.
> I'm experimenting with two CentOS 5.2 boxes ("server", "local");
> "server" has the BIND 9.3.4 name server running.
>
> [server]$ cd /etc/ssh
> [server]$ ssh-keygen -r server.home.lan -f ssh_host_rsa_key.pub
> server.home.lan IN SSHFP 1 1 7d039453c6a636b2f00506b72f402b777ac4860f
> [server]$ ssh-keygen -l -f ssh_host_rsa_key.pub
> 2048 1e:97:48:ee:f2:8b:40:7d:c1:28:7c:8e:75:e4:70:c1 ssh_host_rsa_key.pub
> [server]$
>
> I've placed the SSHFP record generated by "ssh-keygen -r" in my DNS.
> I think that was done correctly since I can retrieve the record on
> "local":
>
> [local]$ host -t sshfp server
> server.home.lan has SSHFP record 1 1
> 7D039453C6A636B2F00506B72F402B777AC4860F
> [local]$
>
> I deleted the "server" entry in my known_hosts file and tried to
> connect via ssh (OpenSSH_4.3p2) with DNS host key verification:
>
> [local]$ ssh -o 'VerifyHostKeyDNS ask' server
> The authenticity of host 'server (192.168.2.1)' can't be established.
> RSA key fingerprint is 1e:97:48:ee:f2:8b:40:7d:c1:28:7c:8e:75:e4:70:c1.
> No matching host key fingerprint found in DNS.
> Are you sure you want to continue connecting (yes/no)? no
> Host key verification failed.
> [local]$
>
> The fingerprint of the host key presented matches the fingerprint
> computed on "server" with "ssh-keygen -l" (above).
>
> Thanks,
> S
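The check the quoted post walks through by hand, as an added example that is not part of the thread: build the SSHFP RDATA (and the old colon-separated MD5 fingerprint) from an OpenSSH public-key line, parse the record as a zone file or `host -t sshfp` prints it, and confirm the two agree. The sample host key is constructed (an arbitrary modulus, not a real key) and the function names are my own.

```python
import base64
import hashlib
import re
import struct

# RFC 4255 / RFC 6594 code points for the SSHFP algorithm and fingerprint-type fields
ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
FP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

def sshfp_rdata(pubkey_line, fptype=1):
    """Return (algorithm, fptype, hex fingerprint) for an OpenSSH public-key line,
    i.e. the RDATA that `ssh-keygen -r` emits (SHA-1 for type 1, SHA-256 for type 2)."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)    # raw wire-format key blob; SSHFP hashes exactly this
    return ALGORITHM[keytype], fptype, FP_HASH[fptype](blob).hexdigest()

def md5_fingerprint(pubkey_line):
    """Old-style colon-separated MD5 fingerprint, as `ssh-keygen -l` printed it in 2008."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def parse_sshfp(text):
    """Pull (algorithm, fptype, lowercase hex) out of a zone-file line or `host -t sshfp`
    output, tolerating the hex being wrapped across lines."""
    m = re.search(r"SSHFP(?: record)?\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f\s]+)", text)
    if not m:
        raise ValueError("no SSHFP record found")
    return int(m.group(1)), int(m.group(2)), re.sub(r"\s", "", m.group(3)).lower()

def dns_matches_key(dns_text, pubkey_line):
    """True when the SSHFP record DNS returned was computed from this host key."""
    algorithm, fptype, fingerprint = parse_sshfp(dns_text)
    return sshfp_rdata(pubkey_line, fptype) == (algorithm, fptype, fingerprint)

# --- constructed sample host key (not a real key; the modulus is an arbitrary number) ---
def _ssh_string(data):
    return struct.pack(">I", len(data)) + data

def _mpint(n):    # SSH mpint: big-endian, with a leading 0x00 when the high bit is set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

_blob = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(int("c0ffee" * 43 + "01", 16))
SAMPLE_KEY = "ssh-rsa " + base64.b64encode(_blob).decode() + " root@server.home.lan"

if __name__ == "__main__":
    algo, fptype, fp = sshfp_rdata(SAMPLE_KEY)
    print(f"server.home.lan IN SSHFP {algo} {fptype} {fp}")
    print(md5_fingerprint(SAMPLE_KEY))
```

The comparison is on the key blob alone; the name only matters for the lookup, which is why ssh querying "server" and "server.home.lan" can give different results even when the record itself is correct.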